DoublePulsar – A Very Sophisticated Payload for Windows

In the first week of April 2017, a previously unknown hacking group calling itself the Shadow Brokers leaked an exploitation framework referred to as FuzzBunch, attributed to the Equation Group (one of the most sophisticated attack groups in the world, widely suspected of being tied to the United States National Security Agency (NSA)). The framework consisted of several unauthenticated remote exploits for Windows (such as the exploits codenamed EternalBlue, EternalRomance, and EternalSynergy), Windows implants, and other hacking tools. One of these tools is a backdoor implant codenamed DOUBLEPULSAR. It is used to inject and run malicious code on an infected system, and it is installed and used by ETERNALBLUE. EternalBlue is an SMBv1 (Server Message Block 1.0) exploit that can trigger remote code execution (RCE) against SMB file-sharing services, and it is believed to have originated with the NSA. Note also that DoublePulsar is a RAM-resident implant: it lives only in memory, so once the machine is rebooted, it is gone.

DoublePulsar is a very sophisticated, multi-architecture, memory-based kernel payload that hooks into x86 and x64 systems and allows an attacker to execute any raw shellcode payload. It is a full kernel payload giving complete control over the system. It does not open new ports but makes use of the same port the SMB service already listens on. This malware infects computers running Windows and opens a backdoor through which other malware can be loaded onto the infected computer. As per Dan Tentler (CEO and founder of Phobos Group), once DoublePulsar is present it can do any of the following four things:
1) respond to a specific ping request (such as a heartbeat),
2) uninstall itself,
3) load shellcode, or
4) run a DLL on the host.
These are the only purposes of this malware.

DOUBLEPULSAR is a loading dock for additional malware: its purpose is to provide a covert channel through which other malware or executables can be loaded. All the SMB and RDP exploits in the FuzzBunch exploitation framework use DoublePulsar as the primary payload.

DOUBLEPULSAR exists as a covert channel that uses SMB features which had so far gone unused, in particular the “Trans2” feature. Trans2 is short for “Transaction 2 Subcommand Extension”. It is a unique payload because it can infect a system, lie low for a while, and come back later when it wants to do something more intrusive. Note that the presence of DOUBLEPULSAR does not mean the system was infected by the NSA. It means there is a loading dock ready and waiting for whatever malware anyone wants to give it.

How to check whether a system is infected with DoublePulsar?

A free tool that can be used to test whether a computer is infected with the DoublePulsar backdoor is available here. The test is based on how port 445 responds to a particular probe. The system running the check sends a “trans2 SESSION_SETUP” request to the computer being tested for the backdoor. The intent of this request is to find out whether the system is already compromised. Infected or not, the system responds with a “Not Implemented” message, but the “Multiplex ID” returned as part of that message is 65 (0x41) on a normal system and 81 (0x51) on an infected one. If a system is infected, SMB can then be used as a covert channel to exfiltrate data or launch remote commands.
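The check described above can be applied from the defender's side to captured traffic: parse the SMB1 header of the trans2 reply and look at the Multiplex ID. The following Python is an added example, not the free tool the page links to nor any SecPod code; the reply bytes it builds are constructed sample data (the flags and PID/UID values are arbitrary), and only the header offsets, the Trans2 command code (0x32), the STATUS_NOT_IMPLEMENTED code and the 0x41/0x51 Multiplex IDs carry the distinction the text describes.

```python
import struct

# SMB1 constants used by the check
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32       # "Trans2" command
STATUS_NOT_IMPLEMENTED = 0xC0000002
MID_NORMAL = 0x41                 # 65: reply from an unmodified SMB server
MID_DOUBLEPULSAR = 0x51           # 81: reply from a DoublePulsar-hooked server


def parse_smb1_header(packet: bytes) -> dict:
    """Parse the 4-byte NetBIOS session header plus the 32-byte SMB1 header.

    Layout of the SMB1 header (little-endian):
      0-3 magic, 4 command, 5-8 NTStatus, 9 flags, 10-11 flags2, 12-13 PIDHigh,
      14-21 security features, 22-23 reserved, 24-25 TID, 26-27 PIDLow,
      28-29 UID, 30-31 MID (Multiplex ID).
    """
    if len(packet) < 36:
        raise ValueError("packet too short for NetBIOS + SMB1 header")
    smb = packet[4:36]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", smb, 4)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    return {
        "command": command, "status": status, "flags": flags, "flags2": flags2,
        "pid": (pid_high << 16) | pid_low, "tid": tid, "uid": uid, "mid": mid,
    }


def classify_trans2_reply(packet: bytes) -> str:
    """Classify a captured reply to the trans2 SESSION_SETUP probe.

    Returns "infected", "clean", "unknown" (Not Implemented with an unexpected
    MID) or "unexpected" (not the Trans2 / Not Implemented reply the check relies on).
    """
    hdr = parse_smb1_header(packet)
    if hdr["command"] != SMB_COM_TRANSACTION2 or hdr["status"] != STATUS_NOT_IMPLEMENTED:
        return "unexpected"
    if hdr["mid"] == MID_DOUBLEPULSAR:
        return "infected"
    if hdr["mid"] == MID_NORMAL:
        return "clean"
    return "unknown"


def build_trans2_reply(mid: int, status: int = STATUS_NOT_IMPLEMENTED) -> bytes:
    """Construct a sample Trans2 reply packet (test data, not a real capture)."""
    smb = (
        SMB_MAGIC
        + struct.pack("<BIBHH", SMB_COM_TRANSACTION2, status, 0x98, 0xC807, 0)
        + b"\x00" * 8          # security features (no signing)
        + b"\x00\x00"          # reserved
        + struct.pack("<HHHH", 0x0800, 0xFEFF, 0x0800, mid)  # TID, PIDLow, UID, MID
    )
    body = b"\x00\x00\x00"     # WordCount = 0, ByteCount = 0
    return struct.pack(">I", len(smb) + len(body)) + smb + body


if __name__ == "__main__":
    for label, pkt in (("constructed clean reply", build_trans2_reply(MID_NORMAL)),
                       ("constructed infected reply", build_trans2_reply(MID_DOUBLEPULSAR))):
        hdr = parse_smb1_header(pkt)
        print(f"{label}: MID=0x{hdr['mid']:02x} -> {classify_trans2_reply(pkt)}")
```

In normal SMB1 operation the server echoes the Multiplex ID of the request, which is why an unmodified host answers the probe with the 0x41 it was sent; a reply carrying 0x51 instead is the signature that the trans2 handler has been hooked. Treat a hit as a reason to isolate and image the host rather than as proof on its own, and pair the check with the MS17-010 patch status of the machine.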

The image below shows the response of a DoublePulsar-infected system:

The image below shows the response of a normal system, i.e. one not infected by DoublePulsar:

Microsoft patched the flaw that EternalBlue exploits back in March 2017. MS17-010 patches a Server Message Block (SMB) server vulnerability present in every Windows operating system. Microsoft even provided patches for operating systems that had reached end of life (EOL), such as Windows XP and Windows 2003. Patches for all the other exploits (EmeraldThread, EternalChampion, ErraticGopher, EskimoRoll, EternalRomance, EducatedScholar, EternalSynergy, EclipsedWing) used by the NSA hacking tools are also available from Microsoft.

All these updates can be easily deployed through SecPod Saner. Install Saner to detect these types of threats and stay secure.